Can A Cybercrime Convention For All Be Achieved?

A new UN cybercrime treaty process is raising strong awareness about one of the biggest global challenges and the complexities of addressing it. 

At the end of February, negotiations for a UN treaty to counter cybercrime began. This is significant for many reasons.

Firstly, while there are several instruments that address cybercrime, this is not only the first time states are negotiating a binding UN instrument on cybercrime, but also the first time states are negotiating a binding instrument on any cyber issue.

Secondly, the convention has the potential of reducing impunity of cybercriminals by harmonizing national approaches to criminalization. Relatedly, the convention could play a crucial role in improving international cooperation by providing effective investigatory frameworks and facilitating cross-border data exchange.

Moreover, the convention  could help build the capacity of countries with less experience in tackling cybercrime and provide the basis for technical assistance.

Challenges Lie Ahead

Despite such potential, the process of negotiation will not be straightforward. This became glaringly evident during the first of six rounds of negotiations, held between the 28th of February and the 11th of March, when several areas of divergence but also convergence emerged.

Cybercrime causes significant harm to developing countries’ societies and economies, which has only been exacerbated by the pandemic.

Over the course of the first ten days of negotiations, many delegations from developing countries expressed their urgent need for a practical legal tool that could help them tackle cybercrime. This issue causes significant harm to their societies and economies, which has only been exacerbated by the COVID-19 pandemic.

Many developing countries – including those represented by CARICOM – are optimistic about the role this convention could play in fighting cybercrime, bridging the digital divide, and harnessing the potential of ICTs. 

But to get there, there are key points that states need to agree on. One of which is what is cybercrime and what should be included in the scope of the treaty?

Narrow Scope of Cybercrimes

Countries have varied objectives of what they want this treaty to achieve. Western countries, for example, want to see a convention which includes a narrow scope of crimes. ‘Pure cybercrimes’ are known as cyber-dependent crimes, which refers to crimes that cannot happen without the use of ICTs.

These are often ones where a computer or data is the target of the criminal activity, such as malware, denial of service attacks, ransomware, etc. and include crimes that do not predate the existence of ICTs. Cyber-dependent offences have definitions broadly recognized by all countries.

They also advocate for including certain cyber-enabled crimes. These are traditional crimes where ICTs were used as an instrument, rather than as a target of the offence. The concept of cyber-enabled crimes applies to a very broad range of offences given how ICTs have infiltrated almost every aspect of our lives. So the offences that they have argued to be included are the ones where the use of ICTs significantly increase the scope, speed, scale of the crime but also the anonymity of the perpetrator.

For these offences, two main examples are often given: online child sexual exploitation, and computer fraud. They call for strong human rights safeguards to be embedded throughout the treaty.

Expanded Scope Of Cybercrimes

Other countries, such as India for example, have stated that a limited convention may create more problems than solutions as technology evolves. They call for an expanded scope in the convention which, in addition to the pure cybercrimes, would include a longer list of cyber-enabled crimes.

The lists of offences vary between countries but include offences such as the use of ICTs for terrorist reasons, the distribution of narcotic drugs, and arms trafficking, in addition to content-related offences such disinformation, coercion to suicide, hate speech, extremism and others.

This expanded scope entails risks. First, several of those suggested traditional crimes are addressed in other instruments. Including them in this convention risks not only duplication of efforts but contradiction with other treaties, as well as with national approaches to these issues.

Second, some of the suggested content offences, such as extremist content, are treated differently in national jurisdictions. While some content is considered a criminal offence in one jurisdiction, it might be subject to civil liability in other jurisdictions or entail no liability at all.

The UN Human Rights Office highlighted how cybercrime laws have been used to impose overly broad restrictions on free expression.

In its submission to the process, the UN Human Rights Office stated that a future convention should focus on core cybercrimes and should avoid including content offences. It highlighted how cybercrime laws have been used to impose overly broad restrictions on free expression by criminalizing various online content related to extremism, terrorism, public morals or hate speech. The OHCHR stressed the importance of a future international instrument on cybercrime not to be interpreted as justification for such steps.

The Risk Of No Consensus

But it is very important to note that this debate on trying to define what should and should not be considered cybercrime is at least a decade old. This debate has happened in several contexts including at the UN, where an agreement on a single definition of cybercrime was not possible.

There is nothing to suggest that this might change in the context of this process. Ultimately, this means there is a risk of not achieving consensus, and not having a convention at the end of this rather short process. If this was to happen, the countries who will probably be most affected are the developing countries.

Most developed countries have systems, resources, expertise and capabilities in place which enable them to tackle cybercrime. Western countries, for example, have a long history of working on cybercrime issues nationally but also regionally and internationally. They are state parties to the Budapest Convention and have good cooperation mechanisms within regional bodies such as Europol.

However, the same cannot be said about developing countries. As some delegations have highlighted during the negotiations, often international cooperation on cybercrime does not fail due to lack of will but rather lack of capacity. And whilst some of these countries have also ratified the Budapest Convention, their resources and capabilities tend to be unsurprisingly significantly less than those of developed countries.

Whilst some developing countries have also ratified the Budapest Convention, their resources and capabilities to tackle cybercrime tend to be unsurprisingly significantly less than those of developed countries.

Whether or not a UN convention on cybercrime is needed is also an old debate. However, the process currently underway presents an opportunity for many delegations from the developing countries to have a tool that would facilitate international cooperation on cybercrime and help them tackle the challenge. But can this be achieved in this process?

A Legal Basis For Gathering Data

Despite the differences between countries on how to define cybercrime for the purpose of the treaty and what to include in the scope, most countries acknowledge that the convention should include criminal activities committed that are broadly recognized by the international community.

Some delegations have suggested that the convention could act as a legal basis for the gathering of electronic evidence without linking cooperation to the investigation of certain offences that the convention sets out.

As put in the Chinese submission to the UN process, ‘regarding other crimes committed by using ICTs, member states could prevent and combat relevant crimes, which are not listed in this convention, and carry out international cooperation in accordance with this convention, other international conventions and their respective domestic laws.’

This approach has been successfully used in the context of the United Nations Convention against Transnational Organized Crime (UNTOC) where the convention criminalized a specific set of core types of organized crime activity but included broad international cooperation provisions that can be applied to other types of serious crime committed.

There is palpable eagerness amongst many countries about having an instrument that can help them address the problem of cybercrime that is impeding them from harnessing the potential of ICTs.

Several states have argued for a similar approach to be followed in this process which would mean that defining the different types of criminal behaviour becomes less important as states will have a legal basis for gathering and exchanging data, irrespective of the criminal offences covered in the convention.

There is palpable eagerness amongst many countries about having an instrument that can help them address the problem of cybercrime that they have been grappling with for several years, a problem that is impeding them from harnessing the potential of ICTs in their own countries.

Countries realize that this convention can give them the tools they need to leapfrog into a place where they have a better grip of the situation. How likely it is that this will happen is difficult to say, but what is clear is that this process is raising strong awareness about one of the biggest global challenges and the complexities of addressing it.

Joyce Hakmeh is Senior Research Fellow, International Security Programme  at Chatham House and  Co-Editor of the Journal of Cyber Policy.

You Might Also Read: 

Tackling Cybercrime: Time For The Regional Gulf Cooperation Council To Join Global Efforts:

 

« US Banks Hit By Russian Cyber Attacks
No future For IoT Security Without Secure Access Service Edge (SASE) »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Secure Technology Alliance

Secure Technology Alliance

Secure Technology Alliance is a multi-industry association working to stimulate the adoption and widespread application of secure solutions.

Private Internet Access

Private Internet Access

Private Internet Access is a Virtual Private Network services provider offering secure encrypted access to the internet.

Arab Information & Communication Technologies Organization (AICTO)

Arab Information & Communication Technologies Organization (AICTO)

The Arab ICT Organization (AICTO) is an Arab governmental organization working under the aegis of the league of Arab States.

Carbide

Carbide

Carbide (formerly Securicy) breaks down enterprise-class security and privacy requirements and makes them accessible to, and achievable by, companies of all sizes.

DeuZert

DeuZert

DeuZert is an accredited German certification body in accordance with ISO/IEC 27001 (Information Security Management).

Vaadata

Vaadata

Vaadata are experts in ethical hacking. We secure your web, mobile and IoT platforms.

Penten

Penten

Penten is an Australian-based cyber security company focused on innovation in secure mobility and applied AI (artificial intelligence).

Stairwell

Stairwell

Stairwell is building a new approach to cybersecurity around a vision that all security teams should be able to determine what’s good, what’s bad, and why.

Speedinvest

Speedinvest

Speedinvest is one of Europe’s most active early-stage investors with a focus on Deep Tech, Fintech, Industrial Tech, Network Effects, and Digital Health.

CyberLab

CyberLab

CyberLab (formerly Chess) is a specialist cyber security company that provides a wide range of security solutions and services.

BreachQuest

BreachQuest

BreachQuest brings together cybersecurity experts with decades of experience identifying security flaws, penetrating networks, and responding to incidents.

Cheops Technology

Cheops Technology

Cheops is a specialist in IT Business Technology Services. We help SMEs and large companies build, optimize and manage their IT so they can focus on their core business.

Seccuri

Seccuri

Seccuri is a unique global cybersecurity talent tech platform. Use our specialized AI algorithm to grow and improve the cybersecurity workforce.

Banyax

Banyax

Banyax provides 24×7 real-time Cyber Defense Center Services using the latest technology tools to provide state-of-the-art defense.

Nova Microsystems

Nova Microsystems

Nova's mission is to revolutionize cybersecurity through continuous data analysis and dynamic AI-driven encryption.

A&O Shearman

A&O Shearman

A&O Shearman is a law firm at the forefront of the forces changing the current of global business: energy transition, life sciences, technology, private capital, finance and beyond.